Once a host has been infected and is a member of the botnet, it begins to generate a large number of clicks on advertisements. With each click on an advertisement, the botnet operators make money.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4VM0vtwsBLVM-Rbjczk_Be1tbkib2VDrzY7rZTjoDJw0s6tVRoieTwmLgU-9JwM_Xk1mB-bCJwUnLwkbt7Cs-b8AWdlT91CHKjArdJuem5cE2rsqG3dYKIUpkPK824W6NXADhSS3T5aY/s640/ZeroAccess_Fraud1.png)
I'm going to show you some ads which have been clicked. (The links may be removed with the passage of time.) The majority of the advertisements are from porn sites.
Sophos has published a great document here. They have calculated how much money this botnet is making. The picture below from the Sophos document shows us an approximate calculation.
In my opinion, that is a huge amount of money!!!
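
For defenders, the burst of ad clicks described above can be spotted in web-proxy logs. The following is an added example, not part of the original post: it flags internal clients that send many requests carrying affiliate-style tracking parameters to web servers addressed by bare IP. The log format (`epoch client url`), the parameter set, the window, the threshold and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed affiliate/click-tracking query keys; tune to your own traffic.
TRACKING_KEYS = {"affid", "subid", "pid", "spaceid", "clid"}

def is_bare_ip(host):
    """True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_suspect_click(url):
    """A request to a bare-IP host that carries a tracking parameter."""
    parts = urlsplit(url)
    if not parts.hostname or not is_bare_ip(parts.hostname):
        return False
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return bool(keys & TRACKING_KEYS)

def flag_hosts(log_lines, window=60, threshold=3):
    """Return {client: peak count} for clients with at least `threshold`
    suspect clicks inside any fixed window of `window` seconds."""
    buckets = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        ts, client, url = fields
        try:
            bucket = int(float(ts)) // window
        except ValueError:
            continue  # skip lines with a bad timestamp
        if is_suspect_click(url):
            buckets[(client, bucket)] += 1
    peaks = {}
    for (client, _), count in buckets.items():
        peaks[client] = max(peaks.get(client, 0), count)
    return {c: n for c, n in peaks.items() if n >= threshold}

# Constructed sample log; server addresses come from documentation ranges.
SAMPLE_LOG = [
    "1372006112.1 10.0.0.5 http://203.0.113.10/check.php?p=x&subid=1&affid=2",
    "1372006113.4 10.0.0.5 http://203.0.113.10/onclick.php?p=x&subid=1&affid=2",
    "1372006115.0 10.0.0.5 http://198.51.100.7/in.php?pid=3&spaceid=4",
    "1372006116.2 10.0.0.5 http://198.51.100.7/out.php?pid=3&spaceid=4",
    "1372006117.0 10.0.0.9 http://ads.example.com/click?affid=2",
    "1372006118.0 10.0.0.9 http://203.0.113.10/index.html",
    "garbage line",
]
```

Raise the threshold for busy networks; legitimate browsing rarely sends tracked clicks to bare-IP hosts at machine speed, so the two conditions together keep false positives low.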